Posted by Unknown Lamer on Friday March 04, 2011 @01:40PM from the legit-business-is-boring dept.

An anonymous reader writes "Brian Krebs has posted a deep dive through more than a year's worth of emails leaked from ChronoPay, Russia's largest online credit card processor. The ... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam."

The title and summary are horribly wrong anyway; no wonder it was submitted by an anonymous coward. Even the article states that ChronoPay didn't run it, but that they provided payment processing, and setting up companies for receiving payments is a normal process with every payment processor.

In the article that I read, a principal in the ChronoPay operation claims that setting up companies for receiving payments is a normal process with every payment processor, not the author of the article. I read that as "we didn't do anything wrong; everyone else does the same thing, too." I don't listen to that kind of excuse from my children uncritically -- I wouldn't listen to it from ChronoPay, either.

I recently rid my wife's computer of such a virus/trojan, whatever -- to this day, we can't figure out how the machine ended up with it -- maybe autorun off a USB stick?

It was this ridiculous fake file scanner that would pop up at startup and scan every file on the computer, calling out 1/10th of them as "infected." This was Windows XP, and the file scanner suppressed msconfig and Task Manager; in fact, you couldn't run Notepad from the Run dialog. It would pop up with "file infected; can't open" or some such. At any rate, this required going into the registry and checking what was in "RunOnce"; there was some weird file in allusers\localsettings. It was named like a random password, like asdf230123jfgnmv.exe.

The "removal" procedure was basically just to rename the file and restart. It hasn't come back yet. At any rate, while I was working with the file, I noticed an artifact in the metadata listing the manufacturer -- I can't read Russian, but it definitely had Cyrillic characters in it. Funny...
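The triage the comment above describes (look in the Run/RunOnce keys for a random-named executable living under a user profile) can be scripted. The following is an added example, not code from the post or from the Krebs article; the four registry keys are the standard autostart locations, while the profile-path pattern, the name-length and entropy thresholds are assumptions chosen to catch names like the one quoted above without flagging ordinary vendor updaters.

```powershell
# Added example: enumerate the classic autostart keys and flag entries whose binary sits in a
# user-profile or Temp directory under a random-looking name. Thresholds are assumptions.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Shannon entropy (bits per character) of a file name; password-like names score high.
function Get-NameEntropy {
    param([string]$Name)
    $chars = $Name.ToLowerInvariant().ToCharArray()
    if ($chars.Count -eq 0) { return 0.0 }
    $entropy = 0.0
    foreach ($group in ($chars | Group-Object)) {
        $p = $group.Count / $chars.Count
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

# Pull the executable path out of a Run value: the quoted first token if present,
# otherwise the first whitespace-delimited token.
function Get-CommandExecutable {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')   { return $Matches[1] }
    return ''
}

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, etc.; those are not registry values.
        if ($prop.Name -like 'PS*') { continue }
        $exe  = Get-CommandExecutable ([string]$prop.Value)
        $base = [IO.Path]::GetFileNameWithoutExtension($exe)
        # XP: Documents and Settings\<user>\Local Settings\...  Vista and later: Users\<user>\AppData\...
        $inProfile = $exe -match '(?i)\\(Documents and Settings|Users)\\[^\\]+\\(Local Settings|Application Data|AppData)\\'
        $inTemp    = $exe -match '(?i)\\Temp\\'
        $randomish = ($base.Length -ge 10) -and ($base -match '\d') -and ((Get-NameEntropy $base) -ge 3.2)
        $flag = if (($inProfile -or $inTemp) -and $randomish) { 'SUSPECT' }
                elseif ($inProfile -or $inTemp)               { 'review' }
                else                                          { 'ok' }
        '{0,-8} {1}\{2} = {3}' -f $flag, $key, $prop.Name, $prop.Value
    }
}
```

Run it in the infected user's session as well as an elevated one, since HKCU differs per user. A SUSPECT hit is what the comment then renamed; the four keys above are only the most common autostart points, so a clean result here does not rule out Winlogon (Shell/Userinit), services or scheduled tasks, which a tool like Sysinternals Autoruns also enumerates.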

I have had to deal with several of these over the last two months or so here at work (a state agency). The people that get them swear they were on legitimate sites when they got the same infection you mention. This is probably true, as we do block what sites people can visit.

After a while of deleting files, it just became easier and faster to rename their profile, create a new one and move their bookmarks and anything from their desktop to the new profile. Once done, delete the old profile.

Most of these infections have been coming from Flash and Adobe Reader exploits. Maybe the ones you got weren't, but many of them are. It is amazing how slowly people patch Flash and Reader, especially with all the exploit kits out there targeting them. About 8 months ago both my boss and my brother-in-law got one of these fake AV programs. Both got them through Adobe Reader, and both were from normal, everyday websites where the ad network had served ads with the exploit included.

I just spoke with my wife about her virus and suggested it might have come in through some rogue PDF document. She acknowledged that as a definite possibility; she's constantly downloading and reviewing scientific papers and the like -- a rogue PDF could have easily slipped into the pile somehow, theoretically. I advised that she switch to Sumatra PDF [kowalczyk.info].

What I want to know is how to get them patched with a non-admin account. I want to allow already-installed apps to update themselves without allowing the user to install new apps or make other changes to the system.

We use a WSUS server and Local Update Publisher at work. It has been a bit of a pain sometimes; Adobe isn't fond of sticking to MSI standards and has published stuff with bad MSI applicability rule content (Windows Installer would still install it, but you had to edit the XML so WSUS could validate it). They also only publish MSI files for the ActiveX version of Flash Player, so we have to deploy the EXE version of the Mozilla plugin (WSUS can deploy .exe, .msi and .msp files, but .msp files are the easiest).

Well, he is right to hate Firefox on the domain, as it has no GPO or centralized management. I personally love Firefox and dislike Chrome, but Chrome comes with MSIs and GPOs. So it was trivial to push that out to everyone on my network.


I would seriously look into that. Especially given the fact that there will be no more new IE releases for XP. It should be a no brainer for even the most incompetent sysadmin. Users with custom apps can always fall back to IE.

Although I find that most of the installed base of XP in corporate environments is due to the higher (it really is) TCO of Vista and 7, not to mention migration costs, loss of IE 6 is still a real deal killer.

I am still running across people that would want to change but deal with specialized portals and software that only run in IE 6. It's baffling, but when I talk to people, deal with other sysadmins, etc., the biggest challenge they have with migration and upgrades is a can't-live-without-it program o

The nice (bad) thing about Windows is it depends on extensions to run things. You can rename any .exe to a .com or even .bat, I believe, and it'll run fine. Most apps will just do name-based interception, so you could have made a copy of notepad.exe as notepad.com and it would have worked. It's something I had to do with regedt32.exe once when, I think, it was Sasser or something that took over the association for .exe filetypes.
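The hijack the comment above mentions lives in two registry values: the default value of HKCR\.exe, which should name the ProgID exefile, and the default value of HKCR\exefile\shell\open\command, which should be "%1" %*. Anything else means every double-click or Run-dialog launch of an .exe goes through whatever is in that command first, which is exactly what the "file infected; can't open" message earlier in the thread looks like from the user's side. The following is an added example, not code from the post: it reads both values (and the .com pair, which is why the notepad.com trick works) and reports whether they match the stock values. Running it from PowerShell is itself an assumption; on a box where .exe launches are intercepted you may need to start powershell.exe through a copy with a .com extension, as the comment did with regedt32.

```powershell
# Added example: check the .exe/.com shell associations that scareware and worms hijack,
# and show the stock values to restore. Run elevated; the "expected" values are the Windows defaults.
$expectedOpenCommand = '"%1" %*'

function Get-DefaultValue {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return $null }
    # The registry provider exposes a key's unnamed (default) value as '(default)'.
    return (Get-ItemProperty -Path $KeyPath).'(default)'
}

function Test-ExeAssociation {
    $results = @()
    foreach ($pair in @(@('.exe', 'exefile'), @('.com', 'comfile'))) {
        $ext, $expectedProgId = $pair
        # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
        # so a per-user hijack written by a non-admin infection shows up here too.
        $boundProgId = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ext"
        $openCommand = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$expectedProgId\shell\open\command"
        $results += New-Object PSObject -Property @{
            Extension   = $ext
            ProgId      = $boundProgId
            OpenCommand = $openCommand
            Hijacked    = ($boundProgId -ne $expectedProgId) -or ($openCommand -ne $expectedOpenCommand)
        }
    }
    return $results
}

Test-ExeAssociation | Format-Table Extension, ProgId, OpenCommand, Hijacked -AutoSize

# Restore, only after the binary named in the bad OpenCommand has been renamed or quarantined
# (otherwise it simply re-registers itself on its next run):
# Set-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -Name '(default)' -Value 'exefile'
# Set-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -Name '(default)' -Value '"%1" %*'
```

If the .exe row is hijacked but the .com row is clean, that is the situation in which copying notepad.exe to notepad.com works: the loader decides how to run a file by its PE header, not its extension, so only the association lookup is being intercepted. A .bat rename is not equivalent, since cmd.exe would try to interpret the file as a script. When the hijack was written by a non-admin account, also look under HKCU:\Software\Classes\.exe and HKCU:\Software\Classes\exefile, and remove the per-user override rather than only fixing the HKLM copy.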

I have seen several of those scareware pop-up advertisements on my Linux computer, claiming that viruses and spyware had been detected. In each case, without my permission, it would pretend to scan drive “C” and show a progress bar for about 30 seconds. It would then announce that it had found several types of viruses and spyware on drive “C” and also in my registry. Linux does not designate devices or partitions with drive letters or have a registry like Windows does, so both claim

If you are a particularly nasty person like me, you would have returned the favour of a fake virus scan with a fake purchase from one of the test CC generators. Do that enough times and it may raise a flag with their upstream payment processor.

I got a virus with these exact symptoms a few months ago. My wife called me at work to say the PC was acting wonky, and she had accidentally clicked an ad that brought her to some random website which she then closed.

My suspicion is that the website contained content which triggered some flash or firefox vulnerability. I can't prove it, though.

This is the most common form of malware I've had to clean up. Back when Windows didn't have 'home versions' and lacked group policy, they only got away with rewriting your DLLs to spy on you and create popups.

I have stopped seeing the popups altogether -- now it's just 'Windows Antivirus 2010 has detected legitProgram.exe / legitTechTool.exe / yourCLI contains a virus and must close it. To remove it, click below [and pay USD$80]'. It is annoying that turning back the clock fails most of the time, or the pers


The last one I got was injected via an (apparently 0-day) vulnerability in the Adobe Acrobat plugin that was exploited by banner ad code that was hosted on thepiratebay.org. The previous one was similar, but used a Java flaw. These were both browser-neutral exploits, although I happened to be running Firefox. I have since installed NoScript, which appears to be the only way to guarantee security these days. I've also recently seen something similar on a friend's computer that was smart enough to complete

The... evidence indicates that ChronoPay executives created scareware companies from the ground up, paying for everything from their domain name registration to virtual hosting, to setting up the front companies and associated bank accounts and the 1-800 support lines for entire scareware operations that typically netted the company millions in revenue for each scam.

Never heard of ChronoPay before. I had to read this part three times because at first I really thought they were talking about Norton.

They've learned well from their counterparts on Wall Street. But to reach the final level, they will need to find a way to not only not get caught, but to get the government to actually give them money for their thefts.

WTF is it with Russian, Eastern Bloc, and Chinese corruption? When I hear about scams like this I think, hmm, Russian, Romanian, etc., or Chinese, and 80% of the time my hunch is correct. The only thing I see in common is that most of these countries are or were under some brutal regime, but I don't see how that instills such a culture of corruption in the people in this fashion.